"Triangulation" infected dozens of iPhones belonging to employees of Moscow-based Kaspersky:
Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.
"The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities," Kaspersky researcher Boris Larin wrote in an email. "Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering."
[...] The mass backdooring campaign, which according to Russian government officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.
With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn't survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.
[...] The most intriguing new detail is the targeting of the heretofore-unknown hardware feature, which proved to be pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel. On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system.
On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes, or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret function. The protection, which has rarely been defeated in exploits found to date, is also present in Apple's M1 and M2 CPUs.
[...] The researchers found that several of the MMIO addresses the attackers used to bypass the memory protections weren't identified in any device tree documentation, which acts as a reference for engineers creating hardware or software for iPhones. Even after the researchers further scoured source code, kernel images, and firmware, they were still unable to find any mention of the MMIO addresses.
[...] The findings presented Wednesday also detail the intricacies of the exploit chain that underpinned the Triangulation infections. As noted earlier, the chain exploited four zero-days to ensure that the Triangulation malware ran with root privileges and gained complete control over the device and user data stored on it.
[...] Wednesday's presentation, titled What You Get When You Attack iPhones of Researchers, is a further reminder that even in the face of innovative defenses like the one protecting the iPhone kernel, ever more sophisticated attacks continue to find ways to defeat them.
"We discover and analyze new exploits and attacks using them on a daily basis," Larin wrote. "We've discovered and reported more than thirty in the wild zero-days in Adobe/Apple/Google/Microsoft products, but this is definitely the most sophisticated attack chain we've ever seen."
(Score: 2, Troll) by crafoo on Saturday December 30, @08:23PM (2 children)
Completely unfounded speculation, but it certainly smells like a state actor with direct knowledge of 'undocumented features'
(Score: 2, Troll) by RS3 on Saturday December 30, @08:43PM (1 child)
Maybe. What grinds my gears is that the mechanism involves an "undocumented hardware feature":
What kind of special arrogant ignorance does it take to think that nobody will ever figure it out and exploit it? How can the phones be made secure unless Apple and the chip suppliers have a direct, but secret hand in making all software for iPhones, especially any kind of "security" theater software?
(Score: 2) by crafoo on Saturday December 30, @08:59PM
Absolutely agree. And in fact this type of arrogant ignorance leads me to believe the exploit is intentional and the product of lifelong bureaucrats/spooks that insisted on it, who simply believed it would never be found by their adversaries.
(Score: 1, Flamebait) by RamiK on Saturday December 30, @08:49PM
Last month we were told it's over competitiveness and interoperability even though iMessage is barely used in the EU so it wouldn't make sense for a non-competitive or interoperability regulatory action to be taken: https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/ [9to5mac.com]
Well, now it all makes far more sense.
compiling...
(Score: 1, Offtopic) by Mojibake Tengu on Saturday December 30, @09:08PM
Best link I appreciated in the article is this one:
https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/web [apple.com]
It reminds me of old times.
The first time I demonstrated clean subjugating of a C++ object virtual methods table to impress someone was on 16-bit code, Zortech C++ compiler.
Good old days, no creepy templates in C++ yet. The platform was Windows/286. Yes, DOS. Clumsy as it sounds.
Thirty years later, do you think LLVM today is any better?
I tell you what: I ceased to use KDE4 in 2009 for a reason... sticking to Fluxbox since.
Respect Authorities. Know your social status. Woke responsibly.